One skill that gets mentioned as an area of improvement for boards relates to IT or cyber expertise. Perceived shortcomings in any board risk oversight responsibility can often come with consequences; one example is the recent resignation of the risk committee chair of Credit Suisse in connection with losses from Greensill Capital and Archegos. A recent Bloomberg article discusses board oversight of cyber risk and notes that some boards have been adding “cyber experts” while others say boards need cyber literacy.
In terms of approach for providing cyber risk oversight, each board will decide what’s appropriate given the company’s particular facts and circumstances. When it comes to board cyber literacy, boards frequently rely on management to help the board stay up to date about cyber risks, while the article said some boards are turning to cyber consultants for help. The article includes a reminder from the head of Accenture Security that cyber literacy is a two-way street and management’s role shouldn’t be overlooked:
Boosting cyber literacy isn’t just about directors learning the language of security but ensuring that chief information security officers can explain their work. ‘We have to ensure the CISO can communicate effectively at the board level, not in bits and bytes.’
A 2019 report from the University of California, Berkeley and Booz Allen Hamilton, based on interviews with directors about beliefs, practices and aspirations relating to cybersecurity oversight, recognizes the tension around the need for board cyber expertise. The report suggests boards re-assess decisions relating to cybersecurity oversight on a regular basis to take account of changes in internal and external risks. At the time of the study, a majority of directors interviewed leaned toward distributed cyber expertise among board members. The report provides these considerations for boards that might be leaning toward an “everyone” or a “cyber-expert” approach:
Leans “Everyone”
– Ensure adequate training and education is defined, used, and kept up-to-date
– Engage external third-party expertise for specialized knowledge, and most importantly to prevent group-think traps
– Amplify accountability for cyber oversight in subset groups (likely committees)
Leans “Cyber-Expert”
– Seek out specific board members who offer deep specialized knowledge of cyber (e.g., crisis management, technology, and threat landscape)
– Prioritize full board discussion of cyber oversight over committee delegation
– Engage external subject-matter experts to test and enhance internal expertise
– Lynn Jokela, TheCorporateCounsel.net, May 6, 2021